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1 

METHOD FOR ENCRYPTION OF INFORMATION 
FIELD OF INVENTION 

The present invention relates to a method of encrypting 
information between a stationary network and a mobile station 
in a mobile radio system of the time division multiple access 
type (TDMA system). 

More specifically, the invention relates to methods of 
encrypting the transmitted information in a more secure 
fashion in conjunction with an authorization check on the 
mobile by the network and when a multiple of time slots are 
used for the same user (mobile station) . 

DESCRIPTION OF THE BACKGROUND ART 

The GSM-network, common in Europe, is a mobile radio network 
that uses time division multiple access (TDMA) . As with other 
mobile radio networks, the GSM network employs authorization 
checks and encryption of transmitted messages. With regard 
to the GSM network, this is specified in "GSM specification 
03.20-, May 1994, issued by ETSI (European Telecommunication 
Standard Institute) and hereinafter referred to as ETSI/GSM 
03.20. The various algorithms used in authorization checks 
and encryption are described in this reference. 

An algorithm A3 is used to effect actual authorization checks 
between network and subscriber apparatus, an algorithm A5 is 
used for encryption of the payload information to be trans- 
mitted, and an algorithm A8 is used to form from the sub- 
scriber authorization key Ki an encryption key Kc from a 
random number variable, RAND. 

As a rule, only one time slot per frame for a given connec- 
tion is used in TDMA-type time division mobile radio systems; 
see ETSI/GSM 05.02. 
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The use of two or more time slots, not necessarily consecu- 
tive time slots, in a transmission frame has been proposed, 
see ETSI/STC SMG3, T doc SMG3 WPA 95A dated 29th August 1995 
(Nokia Telecommunications) , see particularly point 5 "HSCSD 
Architecture". This provides the advantage of enabling larger 
quantities of information to be transmitted per unit of time 
(applicable particularly to data transmissions) , but has the 
drawback of increasing bandwidth. 



8UMMARY OP THE INVENTION 



The inclusion in a GSM system of two or more time slots 
instead of one time slot for one and the same radio transmis- 
sion in accordance with the aforegoing creates certain 
problems when encryption and authorization checks are to be 
employed. 

The most obvious procedure would be to process each of the 
time slots separately and to process the information in 
accordance with earlier known principles. However, such 
procedures would require drastic modification to the existing 
signalling protocols and to equipment on both the network 
side and the mobile station side. 

It would be desirable to avoid such modifications to existing 
standards and equipment to the greatest possible extent. The 
use of the same pseudo-random sequence for all time slots 
within one and the same frame and for a given frame number 
is proposed in the aforementioned ETSI document, ETSI/ T doc 
SMG3 , "First hscsd stage 2 draft". The drawback with this 
method is that it is necessary to compromise between encryp- 
tion safety and procedure simplicity, when two separate 
bursts belonging to one and the same user are transmitted in 
this manner while using the same encryption sequence (pseudo- 
random random sequence) , the influence of the encryption can 
be eliminated relatively simply, by carrying out simple EXOR 
operations. 
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Th» object of the present Invention is therefore to provide 
-ethods for reliable encryption in respect of authorLati™ 
checks in a Tim-type mobile radio system in which two or 

™ T °T' U8ed f ° r Dne and «" "~ transmission^ 

without needing to make substantial changes to the signaling 
protocol and/or system equipment. waning 

in this regard, an inventive method is characterized by the 

« IT, in to11 ^ «al» 1- Another liven! 

tive method is characterized by the features set forth in tne 
accompanying Claim 3. Further inventive methods are charac! 
terxzed by the features set forth in accompanying claims 4 

BRIEF DESCRIPTION OF THE DRAWINGS 

The aforesaid inventive methods will now be described in more 
detail with reference to the accompanying drawings. 

Figure i illustrates schematically signalling between a 
network side and a mobile station side in a mobile radio 
system during the authorization check procedure. 

Figure 2 is a block diagram illustrating known information 
encryption in the system illustrated in Figure 1. 

Figure 3 is a block diagram which symbolizes the algorithms 
used in two of the inventive methods. 

Figure 4 is a block diagram symbolizing the algorithms used 
in a third inventive method. 

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS 

Figure 1 is a simplified schematic illustration of a mobile 
radio system, for instance a GSM-system. The system has a 
network side "NETWORK" and a mobile station side "Mobile" 
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The network side includes a base station system BSS which is 
connected to a mobile switching centre MSC, which is connect- 
ed, in turn, to the public telephone network (not shown) . The 
base station system BSS typically includes a base transceiver 
5 station BTS and a base station controller BSC (not shown) . 
in reality, a plurality of base station systems are connected 
to the mobile switching centre MSC on the network side, while 
the mobile station side includes a plurality of mobile 
stations that can communicate simultaneously with the base 
10 station system BSS. The network side and the mobile station 
side transmit information via radio signals over an air 
interface which is symbolized in Figure l with the reference 
TR. 



Before the actual information is transmitted and received 
between the network and a given mobile station MS, the 
network is obliged to check the authorization of the mobile 
station MS. This authorization check is carried out in 
accordance with known principles, whereby the network, i.e. 
the base station system BSS, sends a random number (so-called 
••random challenge") RAND to the mobile station MS over a 
dedicated control channel DCCH. 



The mobile station MS receives the random number RAND and 
forms a response SRES (signed response) from this random 
number and from the mobile station's own key Ki in accordance 
with a given algorithm A3, as described on page 50 of the 
aforesaid ETS I/GSM 03.20. 



At the same time, the mobile station MS compiles an encryp- 
tion key Kc from the key Ki in accordance with another 
algorithm A8, although only the response SRES is sent to the 
base station system BSS, while the encryption key Kc is used 
in the encryption carried out in the mobile station in 
accordance with the following, a comparison is made in the 
base station system BSS with corresponding values of SRES 
calculated by the mobile switching center (MSC) in accordance 
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with the sane conventional alaorithme », » ^ . 

. « r — ... . . — t^z::^^: 

Thus, the network includes an algorithm block AN whi eh - 
and carries out an authorization ^ v • stores 
algorithms A3 and A8 and 

-1 . ^, encryption in accordance with 

algorithm A5. The mobile static Me , ^ WAth 1:116 

tion check i„ accordance with the same algorithms as 
ind *» accordance with the algorithm L 

^nteT^l^ ! C J" * «» -witching 

center (MSC) on the basis of the mobile staHnm. ~ ^ 

™ I*! UbSe9Uent to «» authorization check, 

(algorithm AS,, the mobile telephone switching centre me 

««. of payload information can be commenced with the aiTof 
the agreed encryption key Kc. 

Figure 2 illustrates schematically th. ma^er in which the 
payload information is encrypted and formatted for Sail 
sion over two time slots tsi t« j_ 

TB1 ' 182 in accordance with the 

aforesaid NOKIA proposal. 

Normally, the payload information is divided from e o a 

IZVJTl lnto one or more bloo,M — • - "r;i:; 9 -;„: 

anf seln , """^ *» — «*»». with the algorithm AS 
and sent during , burst in a given time slot, optionally 

block 1 T/ 1 * blOCk - "» ~* encrypted 

block then follows. As illustrated in Figure 2, when two^ime 

slots in a given frame are available, .„ information bio* 
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is now divided into two sub-blocks Bl and B2, each containing 
114 bits, and each block is encrypted with the same pseudo- 
random sequence PS of 114 bits as normal, by carrying out two 
EXOR operations shown in Figure 2. 

5 

The pseudo-random sequence PS is obtained from an ordinal 
number FN of the frame in which the time slots TS1, TS2 are 
located whose information (blocks Bl and B2) shall be 
encrypted. Two encrypted information blocks BK1 and BK2 are 

10 obtained and these blocks are then formatted by inserting a 
sync, and training sequence in a known manner (marked with 
X in Figure 2) . As before mentioned, the drawback with this 
encryption method is that the same encryption sequence is 
used two times for two separate time slots which means that 

15 non-encrypted information can be recovered from each of the 
two time slots by an EXOR operation between the encrypted 
information. 



in accordance with the present invention, the time slot 
ordinal number or an equivalent to this number is inserted 
into the frame as a further parameter when encrypting. As a 
result, when transmitting in two time slots within the same 
frame, the transmitted information will be independently 
encrypted and encryption security therewith further enhanced 
in comparison to the case when only the frame number (in 
addition to the encryption key) is used, if, as is normal, 
a user uses only one time slot per frame, no time-slot 
dependent encryption is required because the user's authori- 
zation key is unique for a certain time slot. By modifying 
the input parameters (code key Kc, frame number FN) in direct 
dependence on the ordinal number of a time slot in a frame 
in accordance with the present invention, it is possible to 
apply the original algorithms without needing to make any 
substantial change to the signalling protocol, as before 
described, or to the radio equipment. 
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Figure 3 is a block diagram illustrating the use of the 
original algorithm AS with modified input magnitudes in 
accordance with the present invention. 

5 T h lT, ? ^ 3 Syab ° lia * s -iginal algorithm 

A5, which is specified in accordance with GSM 03.20. The 
encryption key Kc is now modified in accordance with the 
ordinal number TSn«TSl of the relevant time slot, namely the 
time slot in the frame during which a first block Bl accord- 

10 ing to Figure 2 shall be transmitted (possibly interfoliated 
with an adjacent block, although the principle is the same) . 
in this regard, circle 1 symbolises a calculation algorithm 
AI/51 for obtaining a modified value Kcl of the encryption 
key. The same algorithm can be used for all time slots in the 

15 frame, such that 

AIfil(Kc,TSn) = Kcn«. 

It is not necessary to modify all encryption keys and one key 
»ay be identical to the normal encryption key Kc for a given 
time slot. 

Similarly, the frame ordinal number FN is modified in 
dependence on the ordinal number TSn=TSl of the relevant time 
slot in the frame within which the first block Bl in Figure 
2 shall be transmitted, circle 2 therewith symbolizes a 
calculation algorithm ALG2 for obtaining the modified value 
FN- of the frame ordinal number. The same algorithm can be 
used for all time slots in the frame, such that 

AL62(FN,TSn) = FNn ' . 
The two algorithms ALG1 and AIX32 need not be equal. 

35 Furthermore, one of the modified frame numbers FNn- may be 
identical to the normal FN. 
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in both of the aforesaid cases, there Is obtained an output 
magnitude in the form of a modified pseudo-random sequence 
PSm' which is used in the same way as that shown in Figure 



It will be understood that the sequence PSm' can also be 
generated either 

a) by solely using a modified value KC on the encryption key 
and an unchanged value FN on the frame number, i.e. the 
algorithm 2 is not used; or 



b) by solely using a modified value FN' on the frame number 
FN and an unchanged value on the encryption key Kc, i.e. 
15 the algorithm 1 is not used. 

Figure 4 is a block diagram similar to the block diagram of 
Figure 3, but now with totally unchanged input values Kc, FN 
to the algorithm A5. Instead, the time slot ordinal number 
20 TSn (or a value equivalent to said ordinal number) is used 
as a control value for an algorithm ALG3 symbolized by circle 
3 for modifying the normal pseudo-random sequence PS obtained 
from Kc and FN. This algorithm ALG3 may consist in a certain 
permutation, shift, reordering of values, etc., in the 
25 pseudo-random sequence PS, so as to obtain a new sequence 
PSm'. The sequence may optionally be divided into blocks of 
114 bits prior to reformulation, and the values in one or 
more blocks can be mixed to obtain the new values with an un- 
changed number of bits (114) in each block. 



It is also possible to combine the algorithms ALG1, 2 in 
Figure 3 with the algorithm ALG3 according to Figure 4. 

The aforedescribed embodiments of the proposed method relate 
to transmission cases. It will be understood that in the case 
of reception wherein incoming information shall be decrypted, 
the values of Kc and FN and the sequence PS will be modified 
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to Kc. f pn. and PS». respectively in accordance with the 
agreed algorithms AI*l, AIX53 and ALG3 as described above. 
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10 
CLAIMS 



1. A method of encrypting information transmitted between 
a fixed network (MSC, BSS) and a mobile station (HS) in a 
5 mobile radio system that operates in accordance with the time 
division multiple access concept, wherein the information is 
divided into at least two blocks (Bl, B2) and transmitted in 
at least two time slots (TS1, TS2) corresponding to said 
blocks in each frame in a frame sequence, and wherein 
10 encryption is effected by 

• a) forming a pseudo-random sequence (PS) in accordance with 
a given encryption algorithm (A5) from an encryption key (Kc) 
and the ordinal number (FN) of the frame in which the 
information is transmitted; 

b) performing a logic operation (EXOR) between said pseudo- 
random sequence (PS) and each block (Bl and B2) of the non- 
encrypted information to obtain encrypted information (BKl 
BK2) ; 

characterized by 

c) modifying said encryption key (Kc) in accordance with a 
given algorithm (ALGl) and in dependence on the ordinal 
number of a time slot (TSn) so as to obtain a modified 
encryption key (Kc«); 

d) forming a modified pseudo-random sequence (PSm») from the 
resultant modified encryption key (KC) in accordance with 
aid encryption algorithm A5) ; and 

e) performing said logic operation (EXOR) on the modified 
pseudo-random sequence (PSm«) and for each block (Bl and B2) 
of the non-encrypted information. 



2. A method according to Claim l, characterised by carrying 
out the operation performed in accordance with e) on the 
information block (Bl) that belongs to the time slot (TS1) 
whose ordinal number has been used to form said modified 
35 encryption key. 
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A method of encrypting information transmitted between 
a fixed network (N) and a mobile station (MS) in a mobile 
radio system that operates in accordance with the time 
divxsion multiple access concept, wherein the information is 
divided into at least two blocks <B1, B2) and transmitted in 
at least two time slots (TSl f TS2) corresponding to said 
blocks in each frame in a frame sequence, and wherein 
encryption is effected by 

a) forming a pseudo-random sequence (PS) in accordance with 
a given encryption algorithm (A5) from an encryption key (Kc) 
and the ordinal number (FN) of the frame in which the 
information is transmitted; 

b) performing a logic operation (EXOR) between said pseudo- 
random sequence (PS) and each block (Bl and B2) of non- 
encrypted information to obtain encrypted information (BKl 
BK2); 1 ' 

characterised by 

c) modifying said frame number (FN) in accordance with a 
given algorithm (AI/S2) and in dependence on the ordinal 
number of a relevant time slot (TSn) ; 

d) forming a modified pseudo-random sequence (PSm«) from the 
obtained modified frame number (FN') in accordance with said 
encryption algorithm (A5) ; and 

e) performing said logic operation (EXOR) on the modified 
pseudo-random sequence (PSm») for each block (Bl and B2) of 
non-encrypted information. 



4. A method of encrypting information transmitted between 
a fixed network (N) and a mobile station (MS) in a mobile 

30 radio system that operates in accordance with the time 
division multiple access concept, wherein the information is 
divided into at least two blocks (Bl f B2) and transmitted in 
at least two time slots (TS1, TS2) corresponding to said 
blocks in each frame in a frame sequence, and wherein 

35 encryption is effected by 

a) forming a pseudo-random sequence (PS) from an encryption 
key (Kc) and the ordinal number (FN) of the frame in which 
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the information is transmitted in accordance with a given 
encryption algorithm (A5) ; 

b) performing a logic operation (EXOR) between said pseudo- 
random sequence and each block of the non-encrypted informa- 
tion (INPOl) ; 

characterized by 

c) modifying said encryption key (Kc) in accordance with a 
given algorithm (AMI) and in dependence on the ordinal 
number of the relevant time slot (TSn) ; 

d) forming a modified pseudo-random sequence (PSm») from the 
obtained modified encryption key (KC) in accordance with 
said encryption algorithm (A5) ; 

e) modifying said frame number (FN) in accordance with a 
given algorithm (AIA2) and in dependence on the ordinal 
number of a relevant time slot (TSn) ; 

f) forming a modified pseudo-random sequence (PSm») from the 
obtained modified frame number (FN») in accordance with said 
encryption algorithm (A5) ; and 

g) performing said logic operation (EXOR) on the modified 
pseudo-random sequence (PSm») for each block (Bl and B2) of 
the non-encrypted information. 



5. A method of encrypting information transmitted between 
a fixed network (N) and a mobile station (MS) in a mobile 

25 radio system that operates in accordance with the time 
division multiple access concept, wherein the information is 
divided into at least two blocks (Bl, B2) and transmitted in 
at least two time slots (TS1, TS2) corresponding to said 
blocks in each frame in a frame sequence, and wherein 

30 encryption is effected by 

a) forming a pseudo-random sequence (PS) from an encryption 
key (Kc) and the ordinal number (FN) of the frame in which 
the information is transmitted in accordance with a given 
encryption algorithm (A5) ; 

b) performing a logic operation (EXOR) between said pseudo- 
random sequence and each block of the non-encrypted informa- 
tion (INF01) ; 
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characterised by 



c) forming a modified pseudo-random sequence (PSm-) from said 
pseudo-random sequence (PS) in dependence on the ordinal 
number (TSn, of the time slot within which the information 
block (Bl or B2) that is encrypted with the aodified pseudo- 
randoa sequence shall be transmitted in accordance with a 
given algorithm (ALG3) ; and 

d) performing said logic operation (exor, on the modified 
pseudo-random sequence (PSm' ) for each block (Bl and B2) of 

10 the non-encrypted information. 



WO 97/12461 



14 



PCT/SE96/01156 



r » . AMENDED CLAIMS 

[received by the International Bureau on 11 February 1997 (11 02 97)- 
original claims 1-5 replaced by new claims 1-5 (3 pages)] K 

l. A method of encrypting information transmitted between 
a fixed network (MSC f BSS) and a mobile station (MS) in a 
mobile radio system that operates in accordance with the time 
division multiple access concept, wherein the information is 
dxvided into at least two blocks (Bl, B2) and transmitted in 
at least two time slots (TS1, TS2) corresponding to said 
blocks in each frame in a frame sequence, and wherein 
encryption is effected by 

a) forming a pseudo-random sequence (PS) in accordance with 
a given encryption algorithm (A5) from an encryption key (Kc) 
and the ordinal number (FN) of the frame in which the 
information is transmitted; 

b) performing a logic operation (EXOR) between said pseudo- 
random sequence (PS) and each block (Bl and B2) of the non- 
encrypted information to obtain encrypted information (BKl 
BK2) ; . 

characterized by 

c) modifying said encryption key (Kc) in accordance with a 
given algorithm (ALG1) and in dependence on the ordinal 
number of a time slot (TSn) so as to obtain a modified 
encryption key (KC); 

d) forming a modified pseudo-random sequence (PSm') from the 
resultant modified encryption key (KC) obtained from each 
of the used time slots and in accordance with aid encryption 
algorithm A5) ; and 

e) performing said logic operation (EXOR) on the modified 
pseudo-random sequence (PSm') and for the respective block 
(Bl and B2) of the non-encrypted information. 

2. A method according to claim l, characterized by carrying 
out the operation performed in accordance with e) on the 
information block (Bl) that belongs to the time slot (TS1) 
whose ordinal number has been used to form said modified 
encryption key. 

AMENDED SHEET (ARTICLE 19) 
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3. A method of encrypting information transmitted between 
a fixed network (N) and a mobile station (MS) in a mobile 
radxo system that operates in accordance with the time 
division multiple access concept, wherein the information is 
divided into at least two blocks (Bl, B2) and transmitted in 
at least two time slots (TSl, TS2 ) corresponding to said 
blocks in each frame in a frame sequence, and wherein 
encryption is effected by 

a) forming a pseudo-random sequence (PS) in accordance with 
a given encryption algorithm (A5) from an encryption key ( K c) 
and the ordinal number (FN) of the frame in which the 
information is transmitted; 

b) performing a logic operation (EXOR) between said pseudo- 
random sequence ( PS ) and each block (Bl and B2) of non- 
encrypted information to obtain encrypted information (BK1 
BK2) ; V ' 

characterized by 

c) modifying said frame number (FN) in accordance with a 
given algorithm (ALG2 ) and in dependence on the ordinal 
number of a relevant time slot (TSn) ; 

d) forming a modified pseudo-random sequence (PSm') from the 
obtained frame number (FN' ) modified for each of the time 
slots used and in accordance with said encryption algorithm 
(A5) ; and 

e) performing said logic operation (EXOR) on the modified 
pseudo-random sequence (PSm' ) for the respective block (Bl 
and B2) of non-encrypted information. 

4. A method of encrypting information transmitted between 
a fixed network (N) and a mobile station (MS) in a mobile 
radio system that operates in accordance with the time 
division multiple access concept, wherein the information is 
divided into at least two blocks (Bl, B2) and transmitted in 
at least two time slots (TSl, TS2) corresponding to said 
blocks in each frame in a frame sequence, and wherein 
encryption is effected by 
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a) forming a pseudo-random sequence (PS) from an encryption 
key (Kc) and the ordinal number (FN) of the frame in which 
the information is transmitted in accordance with a given 
encryption algorithm (A5) ; 

b) performing a logic operation (EXOR) between said pseudo- 
random sequence and each block of the non-encrypted informa- 
tion (INFOl) ; 

characterized by 

c) modifying said encryption key (Kc) in accordance with a 
given algorithm (ALGl ) and in dependence on the ordinal 
number of the relevant time slot (TSn) ; 

d) forming a modified pseudo-random sequence (PSm') from the 
obtained encryption key (Kc' ) modified for each of the time 
slots used and in accordance with said encryption algorithm 
(A5) ; 

e) modifying said frame number (FN) in accordance with a 
given algorithm (ALG2) and in dependence on the ordinal 
number of a relevant time slot (TSn) ; 

f) forming a modified pseudo-random sequence (PSm' ) from the 
obtained modified frame number (FN') in accordance with said 
encryption algorithm (A5) ; and 

g) performing said logic operation (EXOR) on the modified 
pseudo-random sequence (PSm' ) for each block (Bl and B2) of 
the non-encrypted information. 

5. A method of encrypting information transmitted between 
a fixed network (N) and a mobile station (MS) in a mobile 
radio system that operates in accordance with the time 
division multiple access concept, wherein the information is 
dxvided into at least two blocks (Bl, B2) and transmitted in 
at least two time slots (TSl, TS2 ) corresponding to said 
blocks in each frame in a frame sequence, and wherein 
encryption is effected by 

a) forming a pseudo-random sequence (PS) from an encryption 
key (Kc) and the ordinal number (FN) of the frame in which 
the information is transmitted in accordance with a given 
encryption algorithm (A5) ; 
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